RIG EK Still Makes Waves, This Time with a Stealthy Backdoor

The main purpose of the Grobios malware is to help an attacker establish a strong, persistent foothold on a victim's system, in order to drop additional payloads later.

Exploit kit activity has been declining since the second half of 2016, but the RIG EK bucks the trend. It has continued to deliver a wide range of crimeware payloads, and its latest campaign drops the Grobios malware, a trojan built to be a stealthy backdoor.

The campaign was first seen in March by FireEye Labs. Victims, mainly in the U.S., are redirected to a compromised domain with a malicious iframe injected into it. That iframe loads a malvertising domain, which communicates over SSL and leads to the RIG EK landing page. RIG then loads a malicious Flash file that drops the Grobios trojan.

The trojan's main hallmark is its arsenal of evasion and anti-sandbox techniques, according to FireEye researchers: it uses multiple anti-debugging, anti-analysis and anti-VM checks to hide its behavior and its C2 traffic.

“The main purpose of Grobios malware is to help an attacker establish a strong foothold in the system by employing various kinds of evasions and anti-VM techniques,” Ali Islam, director of FireEye, told Threatpost. “Once a strong foothold is established, an attacker can drop a payload of his/her choice, which can be anything from an infostealer to ransomware, etc.”

FireEye researchers said in an analysis on Monday that Grobios’ efforts to evade detection are a grab-bag of tactics. The authors packed the sample with PECompact 2.xx. The unpacked sample has no function entries in its import table, so a static look at the imports reveals nothing about which APIs it calls; instead it uses API hashing, storing a hash of each function name rather than the name itself, and parses the PE header of each DLL at runtime to match the names of exported functions to those hashes. It also builds its strings on the stack at runtime (stack strings) rather than storing them in plaintext in the binary.

Just before connecting to its C2 server, the malware runs a series of checks for virtual machines and malware analysis environments. It can detect almost all well-known VM software, including Xen, QEMU, VMware, VirtualBox and Hyper-V, according to FireEye, and it compares hashes of the driver names present on the machine against a list of hashes of blacklisted driver names, so the telltale driver names themselves never appear as strings in the binary.
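The API hashing and the hashed driver blacklist described above are the same mechanic seen from two sides: the malware stores only a hash and matches names against it at runtime, and an analyst reverses that by hashing every candidate name and looking the sample's hashes up in a table. The following is an added example and is not FireEye's analysis code or anything from the Grobios sample. The ROR13 hash it uses is the routine common in shellcode; that Grobios uses this particular hash is an assumption, since the article does not name the algorithm. The export list and the driver names are constructed stand-ins for what a real resolver would read from a DLL's export directory and from the running system.

```python
# Added example: hash-based name matching for API hashing and for a hashed
# driver blacklist. Not code from the article, FireEye or the Grobios sample.
# The ROR13 routine is an ASSUMED hash; swap in the sample's own once recovered.

from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Rotate-right-13, add-byte hash over the ASCII bytes of a name (assumed algorithm)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32   # ror h, 13
        h = (h + b) & MASK32                   # add h, byte
    return h


# Constructed stand-in for the names a resolver reads from a DLL's export table.
# A real resolver walks the PE export directory of the loaded module; a fixed
# list keeps this example runnable offline.
KERNEL32_EXPORTS: List[str] = [
    "CreateFileA", "VirtualAlloc", "WriteProcessMemory", "CreateProcessA",
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetTickCount",
    "LoadLibraryA", "GetProcAddress", "Sleep",
]

# Analyst's own watch list (not from the article): APIs whose presence in a
# resolved import list points at anti-debugging or timing checks.
ANTI_ANALYSIS_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetTickCount"}


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name: the reverse of the lookup the malware does at runtime."""
    return {ror13_hash(n): n for n in names}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Tuple[int, Optional[str]]]:
    """Map hashes pulled from an unpacked sample back to API names.

    An unresolved hash (None) means either the assumed hash routine is wrong
    or the name lives in a DLL whose exports are not in the table."""
    return [(h, table.get(h)) for h in hashes]


def flag_anti_analysis(resolved: List[Tuple[int, Optional[str]]]) -> List[str]:
    """Pick out resolved names that belong to the anti-analysis watch list."""
    return sorted(name for _, name in resolved if name in ANTI_ANALYSIS_APIS)


# Malware-side view: the blacklist is stored as hashes, so none of these
# driver names has to appear in the binary. Constructed list of VM guest drivers.
BLACKLISTED_DRIVER_HASHES = {
    ror13_hash(n) for n in ("vboxguest.sys", "vboxmouse.sys", "vmmouse.sys", "vmhgfs.sys", "xenvbd.sys")
}


def drivers_on_blacklist(installed: Iterable[str]) -> List[str]:
    """Return installed driver names whose lower-cased hash is on the blacklist.

    Case normalisation matters: Windows reports driver file names in mixed case
    and a hash match is exact, so a check that skips it misses 'VBoxGuest.sys'."""
    return sorted(d for d in installed if ror13_hash(d.lower()) in BLACKLISTED_DRIVER_HASHES)


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    # Constructed: hashes as they might be pulled out of an unpacked sample.
    sample_hashes = [ror13_hash("VirtualAlloc"), ror13_hash("IsDebuggerPresent"), 0xDEADBEEF]
    resolved = resolve_hashes(sample_hashes, table)
    for h, name in resolved:
        print(f"{h:#010x} -> {name or '<unresolved>'}")
    print("anti-analysis APIs:", flag_anti_analysis(resolved))
    print("VM drivers present:", drivers_on_blacklist(["VBoxGuest.sys", "ntfs.sys", "vmmouse.sys"]))
```

In practice the table is built from the export directories of every DLL the sample loads, and if nothing resolves, the first thing to revisit is the hash routine itself rather than the name list.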

For persistence, Grobios is aggressive: It drops a copy of itself into an application folder, masquerading as a version of legitimate software installed on the victim machine, then creates an Autorun registry key and a shortcut in the Windows Startup folder. It also drops multiple copies of itself in subfolders of a legitimate program, again masquerading as different versions of installed programs, and sets an Autorun registry key or creates a scheduled task for those as well. Any one of those mechanisms is enough to survive a reboot, so cleanup that removes the obvious Run key and Startup shortcut but leaves the scheduled task or the extra copies in place lets the trojan return.

The persistence increases the danger of the campaign, because it allows Grobios to lie in wait until its operators are ready to deliver additional payloads.

In general, the campaign is notable because exploit kits have waned in usage. That is largely because systems are becoming less vulnerable, according to Zain Gardezi, FireEye vulnerability researcher: users are running a wider variety of browsers and often disabling Flash, which makes it harder to infect them with exploits for old, already-patched vulnerabilities and shrinks the attack surface for those wielding EKs.

“More and more users are shifting towards more secure browsers, and Flash support is slowly dwindling over time as well,” Gardezi said in an interview. “Due to this, cybercriminals are investing in zero-day discoveries that are usable in drive-by attacks rather than [old vulnerabilities and] just simple social engineering campaigns where they have to trust human psychology doing their work for them.”

However, he added that the RIG EK remains attractive to attackers whose modus operandi is “spray and pray,” because it is a generalist with wide appeal.

“[RIG] is usually never the pioneer to add zero-day exploits, and it only follows after other EKs have already incorporated them,” Gardezi explained. “RIG is mainly used by multiple actors that mostly rely on throwing out malvertisements in hopes of infecting as many users as possible. RIG has always been the EK with a wider variety of campaigns, in terms of quantity of propagation as well as crimeware variety.”

The moral of the story is that EKs continue to put users at risk, especially those running older versions of software. Enterprises, as always, should make sure their endpoints, browsers and browser plugins are fully patched, and should disable Flash where it is not needed, in order to avoid falling victim to this basic threat.

Authors

Threatpost